
Information Security in Outsourcing Agreements

Information security becomes more important every day. There are ever more privacy laws. There are ever more hackers. Computer viruses become more virulent and ambitious. The war on terrorism, as well as the distribution of data on the Internet, is exposing new security holes every day.

In information security, many customers are now shifting their focus from getting their own house in order to making sure that their suppliers’ houses are in order. Employee and customer data, as well as other valuable information obtained through sourcing, is in the hands of these suppliers. Outsourcing agreements provide the means to protect that information, but many lack key provisions.

What Is Information Security?

Information security means:

  • Integrity: gathering and maintaining accurate information and avoiding malicious modification.
  • Availability: providing access to the information when and where desired.
  • Confidentiality: avoiding disclosure to unauthorized or unwanted persons.

Why Is Information Security Important?

Suppliers today need to protect both their own information and other people’s information. A supplier’s own information might include its financial information, proprietary methods for creating and delivering its products, customer lists, or business plans. Other people’s information might include licensed software and personally identifiable information (such as employee or customer records).

This is not merely a matter of competitive advantage. A supplier that discloses financial information or releases maliciously modified financial information could be liable under the securities laws. A supplier that discloses licensed software could be liable under the software license agreement, trade secret laws, and copyright laws. A supplier that discloses information about, for example, a person’s financial status, health condition or employment could be liable under privacy laws.

These types of regulatory, legal, statutory and contractual requirements are not limited to actions by a supplier. A customer can be liable for information security breaches by suppliers, and, of course, a customer suffers equally if its own information is disclosed by its own people or by a supplier’s people.

How Do You Assess a Supplier’s Level of Information Security?

Information security should be on every customer’s due diligence list when reviewing suppliers. However, it is difficult to find a clear metric for security. For example, one cannot count the number of attacks that were discouraged or the number of disgruntled employees who decided not to attack because of strong information security. Thus, customers might consider the following indicators of good security:

  • A written and realistic security policy.
  • Management with a visible commitment to security.
  • Evidence that the supplier has assessed security risks, understood legal requirements, and implemented steps to address the security risks.
  • The supplier’s operational team, when interviewed, shows a good understanding of security issues and demonstrates satisfactorily how the supplier deals with those issues.
  • The supplier has adopted a well-accepted security standard, such as ISO/IEC 17799 Code of Practice for Information Security Management, the U.S. Department of Commerce’s NIST Special Publication 800 Series, and the ISO/IEC TR 13355 Guidelines for Management of IT Security.
  • Simple and obvious steps, such as having a disaster recovery arrangement in place, backing up data regularly, requiring a keycard to access key facilities, protecting all databases with passwords, and making a background check a condition of hiring employees.

Potential customers should also inquire as to whether the supplier performs services under the legal controls that affect the customer. For example, health care institutions in the U.S. are affected by the HIPAA (Health Insurance Portability and Accountability Act) privacy regulations. These are dense and difficult to comply with. As a result, if the prospective supplier is not already complying with the HIPAA privacy regulations, the customer should seek assurances that the supplier is willing and able to comply.

What Do You Put In the Contract?

Outsourcing agreements should include covenants requiring information security. For example, the supplier should agree to:

  • Keep confidential all information provided by the customer, on behalf of the customer, or as a result of performing services for the customer. Note that this protection is generally limited in a variety of ways (such as an exception for information that is publicly available) and thus a confidentiality covenant alone is not sufficient protection.
  • Abide by all relevant privacy laws including those listed in the agreement.
  • Allow security audits on the supplier’s systems, including hiring an “ethical hacking” firm to test the strength of the supplier’s firewalls.
  • Protect all information whether or not confidential with appropriate physical and logical controls. For example, access to customer data should require user IDs and passwords and a need-to-know authorization process. The supplier should agree to provide the names of all persons with such access upon request.
  • Revoke access for any user upon a security breach or customer’s request.
  • Use reasonable efforts, including employment of industry-standard virus protection software, to avoid viruses, worms, back-doors, trap doors, time bombs and other malicious software.
  • Provide a copy of all customer data in the supplier’s possession or under its control, in a reasonable format, upon customer’s request.
  • Never grant any subcontractor access to the supplier’s data unless the supplier has approved the subcontractor and the subcontract includes all of the security provisions of the outsourcing agreement.
  • Report all security breaches or incidents to the customer.
  • Have, maintain and follow an acceptable business recovery plan (including disaster recovery, data backup, alternate power and similar topics).

Of course, these are merely examples. Different provisions will be appropriate in different types of outsourcing transactions.

Lessons from the Outsourcing Journal:

  • Information security is an increasingly important topic.
  • The consequences of an information security breach include business harm and legal liability.
  • Outsourcing contracts should include robust provisions for information security.

Attorney Brad L. Peterson is a partner in the IT and Outsourcing Practice at Mayer, Brown, Rowe & Maw in Chicago. He is the co-author of The Smart Way to Buy Information Technology: How to Maximize Value and Avoid Costly Pitfalls (AMACOM Books, 1998). You can reach him at [email protected].
